# A filter to block random test attacks on my server
#
# Matches e.g.
# put some new matches here


#
[Definition]

bashfragments_generic = \(\) \{ :;\};|\(\) \{ :; \};|\(\) \{.*\};
bashfragments_2 = /bin/bash -|bash -

## Starting with shellshock
failregex = ^<HOST> -.* "(?:%(bashfragments_generic)s)|(?:%(bashfragments_2)s)

            ## Admin attacks
            ^<HOST> -.* "(POST|HEAD|GET) /administrator/
            ^<HOST> -.* "(POST|HEAD|GET) .*/administrator/
            ^<HOST> -.* "(POST|HEAD|GET) /admin/
            ^<HOST> -.* "(POST|HEAD|GET) .*/admin/
            ^<HOST> -.* "(POST|HEAD|GET) /manager/
            ^<HOST> -.* "(POST|HEAD|GET) /dbadmin/
            ^<HOST> -.* "(POST|HEAD|GET) /pma
            ^<HOST> -.* "(POST|HEAD|GET) /phpMyAdmin/
            ^<HOST> -.* "(POST|HEAD|GET) /phpmyadmin

            ## wordpress attacks
            ^<HOST> -.* "(POST|HEAD|GET) /wordpress/
            ^<HOST> -.* "(POST|HEAD|GET) /wp/
            ^<HOST> -.* "(POST|HEAD|GET) /wp-include/
            ^<HOST> -.* "(POST|HEAD|GET) .*/wp-admin/
            ^<HOST> -.* "(POST|HEAD|GET) .*wp-login.php
            ^<HOST> -.* "(POST|HEAD|GET) /wp-json/

            ## CGI attacks
            ^<HOST> -.* "(POST|HEAD|GET) /cgi-bin/
            ^<HOST> -.* "(POST|HEAD|GET) /cgi-mod/
            ^<HOST> -.* "(POST|HEAD|GET) /cgi-sys/
            ^<HOST> -.* "(POST|HEAD|GET) /sys-cgi/
            ^<HOST> -.* "(POST|HEAD|GET) /cgi-bin.*
            ^<HOST> -.* "(POST|HEAD|GET) /cgi/common.cgi

            ## Generic attacks
            ^<HOST> -.* "(POST|HEAD|GET) .*setup.php
            ^<HOST> -.* "(POST|HEAD|GET) .*login.php
            ^<HOST> -.* "(POST|HEAD|GET) .*admin.php
            ^<HOST> -.* "(POST|HEAD|GET) /login/
            ^<HOST> -.* "(POST|HEAD|GET) /script
            ^<HOST> -.* "(POST|HEAD|GET) /phppath/
            ^<HOST> -.* "(POST|HEAD|GET) .*/install/

            ## File system attacks
            ^<HOST> -.* "(POST|HEAD|GET) /.ssh
            ^<HOST> -.* "(POST|HEAD|GET) /.git
            ^<HOST> -.* "(POST|HEAD|GET) /readme.html
            ^<HOST> -.* "(POST|HEAD|GET) /CHANGELOG.txt
            ^<HOST> -.* "(POST|HEAD|GET) /.env

            ### WTF attacks
            ^<HOST> -.* ""
            ^<HOST> -.* "quit"
            ^<HOST> -.* "test"
            ## This should block binary?
            ^<HOST> -.* "\S*\\x
            ## Blocks odd attempt to redirect?
            ^<HOST> -.* "(POST|HEAD|GET) http.*
            ^<HOST> -.* "SSH-2.0-libssh2_1.7.0"
            ^<HOST> -.* "JDWP-Handshake
            ^<HOST> -.* "SSH-2.0-Go

            ## Unwanted Methods
            ^<HOST> -.* "PROPFIND
            ^<HOST> -.* "CONNECT
            ^<HOST> -.* "PUT
            ^<HOST> -.* "OPTIONS

            ## Bad Redirects
            ## https? makes 's' optional, ending /? makes trailing slash optional
            ^<HOST> -.* "(POST|HEAD|GET) .*" [0-9]+ [0-9]+ "https?://.*.ru/?"
            ^<HOST> -.* "(POST|HEAD|GET) .*" [0-9]+ [0-9]+ "https?://.*.xrus.org/?"
            ^<HOST> -.* "(POST|HEAD|GET) .*" [0-9]+ [0-9]+ "https?://avtoguru.pro/?"
            ^<HOST> -.* "(POST|HEAD|GET) .*" [0-9]+ [0-9]+ "https?://narosty.com/?"
            ^<HOST> -.* "(POST|HEAD|GET) .*" [0-9]+ [0-9]+ "https?://azartmix.com/?"
            ^<HOST> -.* "(POST|HEAD|GET) .*" [0-9]+ [0-9]+ "https?://kinoflux.net/?"
            ^<HOST> -.* "(POST|HEAD|GET) .*" [0-9]+ [0-9]+ "https?://souvenir.cc/?"
            ^<HOST> -.* "(POST|HEAD|GET) .*" [0-9]+ [0-9]+ "https?://meds-online24.com/?"
            ^<HOST> -.* "(POST|HEAD|GET) .*" [0-9]+ [0-9]+ "https?://mylida.org/?"
            ^<HOST> -.* "(POST|HEAD|GET) .*" [0-9]+ [0-9]+ "https?://dokfilms.net/?"
            ^<HOST> -.* "(POST|HEAD|GET) .*" [0-9]+ [0-9]+ "https?://chcu.net/?"
            ^<HOST> -.* "(POST|HEAD|GET) .*" [0-9]+ [0-9]+ "https?://surgut.xrus.org/?"
            ^<HOST> -.* "(POST|HEAD|GET) .*" [0-9]+ [0-9]+ "https?://xn--b1ag5cfn.xn--p1ai/?"
            ^<HOST> -.* "(POST|HEAD|GET) .*" [0-9]+ [0-9]+ "https?://www.avtolombard-krasnodar.com/?"
            ^<HOST> -.* "(POST|HEAD|GET) .*" [0-9]+ [0-9]+ "https?://bonkers.name/?"
            ^<HOST> -.* "(POST|HEAD|GET) .*" [0-9]+ [0-9]+ "https?://.*.ua/?"
            #^<HOST> -.* "(POST|HEAD|GET) .*" [0-9]+ [0-9]+ "https?://"
            #^<HOST> -.* "(POST|HEAD|GET) .*" [0-9]+ [0-9]+ "https?://"
            #^<HOST> -.* "(POST|HEAD|GET) .*" [0-9]+ [0-9]+ "https?://"
            #^<HOST> -.* "(POST|HEAD|GET) .*" [0-9]+ [0-9]+ "https?://"

            ## Misc attacks I havelogged
            ^<HOST> -.* "(POST|HEAD|GET) /tmUnblock.cgi
            ^<HOST> -.* "(POST|HEAD|GET) /muieblackcat
            ^<HOST> -.* "(POST|HEAD|GET) /themes/elastixneo/ie.css
            ^<HOST> -.* "(POST|HEAD|GET) /docs/funcspecs/3.jsp
            ^<HOST> -.* "(POST|HEAD|GET) /a2billing/
            ^<HOST> -.* "(POST|HEAD|GET) /user/soapCaller.bs
            ^<HOST> -.* "(POST|HEAD|GET) /w00tw00t.*
            ^<HOST> -.* "(POST|HEAD|GET) /HNAP1/
            ^<HOST> -.* "(POST|HEAD|GET) /rom-0
            ^<HOST> -.* "(POST|HEAD|GET) /hndUnblock.cgi
            ^<HOST> -.* "(POST|HEAD|GET) /checkout/
            ^<HOST> -.* "(POST|HEAD|GET) /Ringing.at.your.dorbell
            ^<HOST> -.* "(POST|HEAD|GET) /_asterisk
            ^<HOST> -.* "(POST|HEAD|GET) /server-status
            ^<HOST> -.* "(POST|HEAD|GET) /language/Swedish*/string.js
            ^<HOST> -.* "(POST|HEAD|GET) /../../../../../../../mnt/mtd/vBj5
            ^<HOST> -.* "(POST|HEAD|GET) //console/j_security_check
            ^<HOST> -.* "(POST|HEAD|GET) /xmlrpc.php
            ## Disabled due to ttrss and unsanitized rss?
            #^<HOST> -.* "(POST|HEAD|GET) /imgs/*
            ^<HOST> -.* "(POST|HEAD|GET) /tag/ HTTP
            ^<HOST> -.* "(POST|HEAD|GET) /invoker/EJBInvokerServlet
            ^<HOST> -.* "(POST|HEAD|GET) /stssys.htm
            ^<HOST> -.* "(POST|HEAD|GET) .*/elfinder.html
            ^<HOST> -.* "(POST|HEAD|GET) /web-console
            ^<HOST> -.* "(POST|HEAD|GET) /jmx-console
            ^<HOST> -.* "(POST|HEAD|GET) /invoker/JMXInvokerServlet
            ^<HOST> -.* "(POST|HEAD|GET) /x HTTP
            ^<HOST> -.* "(POST|HEAD|GET) /jenkins/script
            ^<HOST> -.* "(POST|HEAD|GET) /RemoteControl.html
            ^<HOST> -.* "(POST|HEAD|GET) /www/start.html
            ^<HOST> -.* "(POST|HEAD|GET) /Http/DataLayCfg.xml
            ^<HOST> -.* "(POST|HEAD|GET) /current_config/
            ^<HOST> -.* "(POST|HEAD|GET) /struts2-showcase/
            ^<HOST> -.* "(POST|HEAD|GET) /pmd
            ^<HOST> -.* "(POST|HEAD|GET) /recordings/
            ^<HOST> -.* "(POST|HEAD|GET) /logo_img.php.suspected
            ^<HOST> -.* "(POST|HEAD|GET) /webdav
            ^<HOST> -.* "(POST|HEAD|GET) /sftp-config.json
            ^<HOST> -.* "(POST|HEAD|GET) /ccvv
            ^<HOST> -.* "(POST|HEAD|GET) /xxbb
            ## Blocks after requests with null useragent.
            ^<HOST> -.* "(POST|HEAD|GET).*"-"$
            ^<HOST> -.* "(POST|HEAD|GET) /cfg/000000000000.cfg
            ^<HOST> -.* "(POST|HEAD|GET) /RPC2
            ## Blocks after request with useragent set to literal "null"
            ^<HOST> -.* "(POST|HEAD|GET).*"null"$
            ^<HOST> -.* "(POST|HEAD|GET) /KlfhsYYs
            ^<HOST> -.* "(POST|HEAD|GET) /static/UI_win7/js/login.js
            ## Blocks attacks sending characters used for shell commands
            ^<HOST> -.* "(POST|HEAD|GET) .*(%%21|%%22|%%23|%%24|%%25|%%26|%%27|%%28|%%29|%%2A|%%2C|%%3B|%%5B|%%5C|%%5D|%%60)
            ^<HOST> -.* "(POST|HEAD|GET) /nogFoot
            ^<HOST> -.* "(POST|HEAD|GET) /nogHead
            ^<HOST> -.* "(POST|HEAD|GET) /user/register
            ^<HOST> -.* "(POST|HEAD|GET) /rss.php\?mode=recent
            ^<HOST> -.* "(POST|HEAD|GET) /wls-wsat/CoordinatorPortType
            ^<HOST> -.* "(POST|HEAD|GET) /stalker_portal
            #^<HOST> -.* "(POST|HEAD|GET) 
            #^<HOST> -.* "(POST|HEAD|GET) 
            #^<HOST> -.* "(POST|HEAD|GET) 
            #^<HOST> -.* "(POST|HEAD|GET) 
            #^<HOST> -.* "(POST|HEAD|GET) 
            #^<HOST> -.* "(POST|HEAD|GET) 
            #^<HOST> -.* "(POST|HEAD|GET) 

#ignoreregex = ^<HOST> -.* "(POST|HEAD|GET) /.*
ignoreregex = ^<HOST> -.* "(POST|HEAD|GET) /.well-known/openpgpkey
